So what are Google and Apple doing with this location data? And Microsoft, now that it’s clear they’re gathering it too (but they claim they aren’t storing it anywhere on the phone).

They aren’t saying a lot, but they’ve said enough to take a pretty good guess. And no, I don’t think the intent is to be evil.
Last year, when faced with another privacy dust-up, Apple said, “To provide the high quality products and services that its customers demand, Apple must have access to the comprehensive location-based information.” They haven’t commented, to my knowledge, on this year’s dust up, but the same reason they gave then would appear to apply toay.

So what on earth does that mean?

I talked to Rich Perkins, CISSP, about it. I knew Rich wouldn’t have a middle-of-the-road opinion on something like this, but honestly didn’t know which side of the fence he’d be on.

“I’m not here,” he told me.

“Ah, but does your phone know where you are?”

“Yes it does.”

“And does that bother you?”

He said not really. He said the phone needed to know, in order to provide better functionality, and he suggested I do a little research on A-GPS, because he thought that was the main thing the phones are doing. So I did.

GPS devices–including phones–triangulate against various things in order to tell you where you are. A pure GPS just triangulates against satellites. Cell phones triangulate against cell phone towers and/or GPS devices. If you can triangulate against wifi access points too, it makes it that much easier to determine where you are. More data points.

That’s one reason why, when Google photographs a street, they also record the SSIDs of every wi-fi network they find. Between these vans and the growing number of Android-toting consumers, Google is able to build a rather large, comprehensive database so that if you want to ask your phone where you are, it will know. Using more than GPS is called A-GPS, or Assisted GPS.

He said when he uses Google Maps on his Android phone, he can see its accuracy increase and decrease based on what he has turned on. When he’s walking around with wi-fi enabled, it may not know which side of the street he’s on, but it can narrow him down to within about 50 feet.

And he thinks that’s the motive for Apple, Google, and Microsoft. If we travel the same path over and over again, that tells them that area is important to us, so our phones need to know about that area. And, thinking larger, if large numbers of people are traveling a particular area, that tells the companies that’s an important area and they need to focus on learning what they can about that area, as opposed to an area a few blocks away where nobody goes.

Having talked to some people with much more familiarity with the iPhone than me, accidental copying of the file in question seems unlikely. It’s not automatic; you do have to pair the iPhone with the computer for it to sync. The question is who else can see your phone and the backup on your computer, and whether you trust those people with that data. One iPhone owner I talked to just shrugged his shoulders. He lives alone, so nobody else is going to see the data. He has iTunes set to encrypt his backups, so he doesn’t worry about it.

My concern is that backups should be encrypted by default. I run into people far too often who don’t know what encryption is and how it protects them, so why confuse people by creating the option. When I go buy something off Amazon, it doesn’t ask me if I want to encrypt my username and password and credit card data. It just does it.

Frankly, I think the file on the phone should be encrypted too.

Google’s approach (and Microsoft’s) bothers me less. Google keeps less data, the file stays on the phone and by default isn’t readable by anything but the phone’s operating system, and you can turn it off. Microsoft doesn’t write anything at all to the phone, from what it says.

The companies’ responses tell you something too. Apple has been silent since Wednesday. Google responded over the weekend, and while I can’t tell from the WSJ article whether the Google representative told how to disable it, there was enough information there to tell how to disable it. Microsoft, with arguably the best approach of the three, is gloating a little. Something it doesn’t get to do very often.

So I don’t think there’s anything particularly nefarious going on. Rich pointed out that when Apple introduced multitasking to iOS, they said outright that they would have to do location tracking in a file in order for applications to figure out where they are. So even Apple has come clean. But memories are short.

I think all of them need to release a statement, from a PR standpoint. Otherwise, they’re making it look like they have something to hide. And it’s not like they’re hiding any competitive advantage. If Rich can figure out what they’re doing, surely the engineers who do nothing but develop phones full-time know what their counterparts at the other companies are doing.

And I do think files containing that kind of information should be difficult to access, and ideally they should be encrypted. Microsoft has the best approach, by not writing the file at all. Google’s approach of making the file only accessible to the operating system by default and only storing a few days’ worth of information is better, though it still falls a little short of the ideal. Apple stores too much information and makes it too easy to get at. But, in retrospect, they warned us. Like I said, memories are short.

I was a rotary phone person until just a few years ago so I don’t know much about iphones, etc. Is the present day cell phones better than the ones on Law and Order that could be tower triangulated to find the bad guy?
If Apple and android encrypts would that make any difference in your privacy? Only the hackers would be left out.

Triangulating against cell phone towers definitely works, and it’s a common tactic in search and rescue missions. But it’s not as accurate as they show on TV–triangulating against available cell towers gets you in the vicinity. Add wi-fi access points to the mix and you can narrow it down a little more. In reality, if the bad guy is at 18th and Vine, triangulation can tell you that, but not which of the four buildings he’s in. Not with certainty. And it certainly can’t tell you what table he’s eating dinner at. On the flip side, I’m sure people who’ve gotten lost in the woods appreciated the rescuers being able to zone in on an area based on a cell phone signal. It’s a two-edged sword. If I were lost in the woods, I’d turn off my phone to save battery power, then turn it back on once I knew someone was looking for me.

But yeah, I’m mostly interested in keeping the hackers out. I have no reason to fear the authorities. Once when someone threatened to call the cops on me, I held out my phone to her and said here, go ahead, call. It’s people with a grudge and no accountability that I fear. And if one of them got hold of my phone and learned more about my daily habits from it, I’d really have reason to be afraid. I’ve been followed by spooks and I’ve been followed by thugs with grudges. I won’t go into the details of either, but I’d much rather have the spooks.

My understanding has been that cell tower triangulation can narrow location to about a city block best case. True satellite based GPS, a couple meters. So do cell phones these days contain real GPS receivers? If so then no need for cell tower triangulation or other assists. Probably a misnomer to call assisted triangulation A-GPS, but, if tower triangulation is the baseline then correlation with know locations of wifi hot spots could pinpoint a phone within its footprint or approximately 50 meters. Triangulating hot spots could further reduce the error. Down to 10 meters perhaps? Just a guess. Good enough to push location based advertising to the phone, tablet, what have you. Also works to lesser degree with devices that are wifi only. Billboards are so yesterday when Pablos Taco Wagon is having a two for one Burrito special just two blocks ahead on the right. Would you like directions? If you have a Near Field Communications chip (NFC) in your phone, you can use that instead of a (physical) credit card and Google (or somebody) will process the payment from you to Pablo easy peasy.

One scenario.

If Apple and android encrypts, would that make any difference in your privacy? Only the hackers would be left out.

And you, since you won’t be able to decrypt the data the device stores either, which leaves this a vehicle of transport that could contain virtually any type of information and you would be none the wiser. Perhaps these third parties would be willing to share their keys with you, or you with them? On the other hand who says these packets of info must be held in a stored file when it could as well be held in memory for transfer at next opportunity if not relayed in (the case of always on cellular connections) near real time?

At its fundamental we should note the distinction between data collection and dissemination within an application versus an operating system. If we are using Google Maps for example, then yes we would likely wish to provide our location information. Saves us having to input the information ourselves and thus a convenience feature. Might want to have the option though. Outside of userland applications? Full time tracking by the OS? Must it be an either/or proposition where we maintain some control over our privacy only at the expense of reduced functionality? Something of a question hardly worth the bother of debate if location tracking is “in application” only and turned off by default. Let the user “opt in” by their program selections and alternately, by their informed approvals wherever location features might be considered optional and not implicit by definition given the core functionality of the program itself.

I have never been a fan of “opt out” whenever users might not realize they have been opted into something by default and small print legalese within click through agreements don’t count in my estimation. I certainly do question location tracking as a core function of an OS and likewise question the motives of any entity that puts it there.